Hi all, this topic was probably discussed before, but unfortunately I couldn't find an explanation for the behavior I am experiencing.
I am developing a minifilter driver whose goal is to prevent certain contents from being written to a (normal) file (could be any file).
My idea was to set a PreWrite callback which will check for this data and block accordingly. I only want to audit the IRPs that actually write data to disk, so I first check if IRP_NOCACHE is set, and if so, only then check the data.
Attaching a POC:
    FLT_PREOP_CALLBACK_STATUS
    MyPreWrite(
        _Inout_ PFLT_CALLBACK_DATA Data,
        _In_ PCFLT_RELATED_OBJECTS FltObjects,
        _Flt_CompletionContext_Outptr_ PVOID* CompletionContext
        )
    {
        UNREFERENCED_PARAMETER(FltObjects);
        UNREFERENCED_PARAMETER(CompletionContext);

        // Only look at writes that go to disk (non-cached I/O).
        if (!FlagOn(Data->Iopb->IrpFlags, IRP_NOCACHE)) {
            return FLT_PREOP_SUCCESS_NO_CALLBACK;
        }

        if (!is_interesting_file(Data->Iopb->TargetFileObject)) {
            return FLT_PREOP_SUCCESS_NO_CALLBACK;
        }

        // Inspect the write parameters (buffer/MDL, length, offset).
        if (!is_interesting_data(&Data->Iopb->Parameters.Write)) {
            return FLT_PREOP_SUCCESS_NO_CALLBACK;
        }

        // Block the write: complete the operation here with an error status.
        Data->IoStatus.Status = STATUS_ACCESS_DENIED;
        Data->IoStatus.Information = 0;
        return FLT_PREOP_COMPLETE;
    }
The issue is that it seems that in this case the lazy writer will keep on trying to flush the data forever.
I also tried to set the Status to STATUS_SUCCESS. In this scenario the lazy writer does stop, but the data is being written to the disk.
Is this the expected behavior? And if so, how do I prevent the contents from being written? I don't want to audit every cached write as these are probably way more frequent.
Appreciate your help.
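As an added illustration of the behaviour described in this post (this is a user-mode model written for this page, not the poster's driver and not WDK code): the lazy writer's flushes arrive in PreWrite as paging I/O, carrying IRP_PAGING_IO together with IRP_NOCACHE, whereas a user write opened for unbuffered I/O carries IRP_NOCACHE alone and a normal write carries neither. The model below reproduces the IRP flag values from the WDK headers so it compiles without them, classifies a write from its flags, and contrasts the post's "inspect only IRP_NOCACHE" policy with one that decides before the data enters the cache and never fails paging I/O. A toy cache/lazy-writer loop shows why the first policy keeps being asked to flush the same dirty data: refusing a paging write does not remove the dirty pages. The marker string, the policy function names and the retry cap are constructed for the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* IRP flag values as defined in the WDK (wdm.h); redefined here so the
   model builds in user mode without the kernel headers. */
#define IRP_NOCACHE    0x00000001u
#define IRP_PAGING_IO  0x00000002u

typedef enum {
    WRITE_CACHED,        /* normal user write: goes into the cache manager */
    WRITE_USER_NOCACHE,  /* user write on an unbuffered handle: straight to disk */
    WRITE_PAGING         /* lazy writer / mapped page writer flushing dirty pages */
} write_kind_t;

typedef enum { PREOP_PASS, PREOP_DENY } preop_decision_t;

/* Classify a write from Data->Iopb->IrpFlags. Paging I/O is checked first
   because lazy-writer flushes set IRP_NOCACHE as well. */
write_kind_t classify_write(uint32_t irp_flags) {
    if (irp_flags & IRP_PAGING_IO) return WRITE_PAGING;
    if (irp_flags & IRP_NOCACHE)   return WRITE_USER_NOCACHE;
    return WRITE_CACHED;
}

/* Constructed stand-in for whatever is_interesting_data() looks for. */
static const char BLOCKED_MARKER[] = "BLOCKED-CONTENT";

int contains_blocked_marker(const uint8_t *buf, size_t len) {
    size_t mlen = sizeof(BLOCKED_MARKER) - 1;
    if (buf == NULL || len < mlen) return 0;
    for (size_t i = 0; i + mlen <= len; i++)
        if (memcmp(buf + i, BLOCKED_MARKER, mlen) == 0) return 1;
    return 0;
}

/* Policy from the post: only inspect writes that have IRP_NOCACHE set. */
preop_decision_t policy_nocache_only(uint32_t irp_flags, const uint8_t *buf, size_t len) {
    if (!(irp_flags & IRP_NOCACHE)) return PREOP_PASS;
    return contains_blocked_marker(buf, len) ? PREOP_DENY : PREOP_PASS;
}

/* Alternative policy (this example's design choice): inspect the write at the
   point where the application hands the data over, and never fail paging I/O,
   because by then the data is already dirty in the cache. */
preop_decision_t policy_before_cache(uint32_t irp_flags, const uint8_t *buf, size_t len) {
    switch (classify_write(irp_flags)) {
    case WRITE_PAGING:
        return PREOP_PASS;
    case WRITE_USER_NOCACHE:
    case WRITE_CACHED:
        return contains_blocked_marker(buf, len) ? PREOP_DENY : PREOP_PASS;
    }
    return PREOP_PASS;
}

typedef struct {
    int flush_attempts;  /* paging writes the lazy writer had to issue */
    int on_disk;         /* 1 if the data finally reached the disk */
} sim_result_t;

/* Toy model of the flow in the post: one cached user write, then the lazy
   writer re-issuing a paging write until one is allowed through. The retry
   cap stands in for "forever". */
sim_result_t simulate(preop_decision_t (*policy)(uint32_t, const uint8_t *, size_t),
                      const uint8_t *data, size_t len, int max_retries) {
    sim_result_t r = {0, 0};
    if (policy(0, data, len) == PREOP_DENY) return r;       /* never enters the cache */
    while (r.flush_attempts < max_retries) {                 /* cache is now dirty */
        r.flush_attempts++;
        if (policy(IRP_NOCACHE | IRP_PAGING_IO, data, len) == PREOP_PASS) {
            r.on_disk = 1;
            break;
        }
    }
    return r;
}

int main(void) {
    const uint8_t blocked[] = "header BLOCKED-CONTENT trailer";
    sim_result_t a = simulate(policy_nocache_only, blocked, sizeof blocked - 1, 5);
    sim_result_t b = simulate(policy_before_cache, blocked, sizeof blocked - 1, 5);
    printf("nocache-only : flushes=%d on_disk=%d\n", a.flush_attempts, a.on_disk);
    printf("before-cache : flushes=%d on_disk=%d\n", b.flush_attempts, b.on_disk);
    return 0;
}
```

In the model the post's policy is asked to flush the same dirty pages up to the retry cap and the data still never lands; the alternative policy denies once, at the cached write, so there is nothing for the lazy writer to flush. In a real filter the buffer for a cached write is a user-mode address that has to be probed and read under exception handling, and paging writes describe their data through an MDL; the model skips both.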